package keter.sec.sql.controller;

import com.jfinal.kit.JsonKit;
import com.jfinal.plugin.activerecord.Db;
import com.jfinal.plugin.activerecord.Record;
import keter.sec.sql.base.BaseConfig;
import org.apache.commons.lang.exception.ExceptionUtils;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.*;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.List;

@Controller
public class SqlController extends BaseConfig{

	@RequestMapping("/")
	public void welcome(HttpServletRequest request,HttpServletResponse response) throws IOException {
		response.sendRedirect("sql.html");
	}

//	@RequestMapping("/")
//	public String welcome(HttpServletRequest request,HttpServletResponse response) throws IOException {
//		return "index";
//	}

	/**
	 * attack success:
	 sqlmap -u "http://192.168.175.61:7777/query?value=*" --dbms hsql
	 * @param request
	 * @param response
	 * @return
	 * @author  gulx@neusoft.com
	 * @date    2016年12月7日
	 */
	@GetMapping("/query")
	@ResponseBody
	public String queryName(HttpServletRequest request,HttpServletResponse response) throws ServletException{
		List<Record> rlist;
		String name = request.getParameter("value");
//		try {
		rlist = queryByName(name);
//		} catch (Exception e) {
//			e.printStackTrace();
//			return "error";
//		}
		return rlist!=null?JsonKit.toJson(rlist):"empty";
	}

	@GetMapping("/queryerror")
	@ResponseBody
	public String queryError(HttpServletRequest request,HttpServletResponse response) throws Exception {
		List<Record> rlist = null;
		String name = request.getParameter("value");
		try {
			rlist = queryByName(name);
		} catch (Exception e) {
			throw e;
		}
		return rlist!=null?JsonKit.toJson(rlist):"empty";
	}

	/**
	 * attack success:
	 sqlmap -u "http://192.168.175.61:7777/query?value=*" --dbms hsql
	 * @param request
	 * @param response
	 * @return
	 * @author  gulx@neusoft.com
	 * @date    2016年12月7日
	 */
	@GetMapping("/queryerrorblind")
	@ResponseBody
	public String queryErrorBlind(HttpServletRequest request,HttpServletResponse response) {
		List<Record> rlist;
		String name = request.getParameter("value");
		rlist = queryByName(name);
		return rlist!=null?JsonKit.toJson(rlist):"empty";
	}

	/**
	 attack failure:
	 sqlmap -u "http://192.168.175.61:7777/query/maxlen?value=*" --dbms hsql
	 appscan判定有漏洞但sqlmap无法注入成功
	 * @param request
	 * @param response
	 * @return
	 * @throws ServletException
	 * @author  gulx@neusoft.com
	 * @date    2016年12月19日
	 */
	@GetMapping("/query/maxlen")
	@ResponseBody
	public String queryOne(HttpServletRequest request,HttpServletResponse response) throws ServletException{
		List<Record> rlist;
		String name = request.getParameter("value");
		if(name.length()>=30){
			return "too lang";
		}
		try {
			rlist = queryByName(name);
		} catch (Exception e) {
			e.printStackTrace();
			return "error";
		}
		return rlist!=null?JsonKit.toJson(rlist):"empty";
	}

	/**
	 * 模拟查询条件中完整拼接where条件的场景
	 * http://10.170.6.46:7777/querywhere?value=(name='haha')
	 * ATTACK:
	 sqlmap -u "http://10.170.6.46:7777/query?value=haha*" --current-user
	 sqlmap -u "http://10.170.6.46:7777/query?value=haha*" --dbms Oracle --current-user
	 * PAYLOAD of current-user:
	 http://10.170.6.46:7777/query?value=haha%27%20UNION%20ALL%20SELECT%20NULL,CONCAT(0x7170767871,IFNULL(CAST(CURRENT_USER()%20AS%20CHAR),0x20),0x717a767171),NULL,NULL--%20DYff
	 * @param request
	 * @param response
	 * @return
	 * @throws ServletException
	 */
	@GetMapping("/querywhere")
	@ResponseBody
	public String queryWhere(HttpServletRequest request, HttpServletResponse response)
			throws ServletException {
		List<Record> rlist;
		String name = request.getParameter("value");
		try {
			rlist = queryByWhere(name);
		} catch (Exception e) {
			return "{}";
		}
		return rlist!=null?JsonKit.toJson(rlist):"empty";
	}

	private List<Record> queryByName(String name){
		String sql = "select * from org_user where name='"+ name +"'";
		System.out.println(sql);
		return Db.find(sql);
	}

	private List<Record> queryByWhere(String where){
		String sql = "select * from org_user where " + where;
		System.out.println(sql);
		return Db.find(sql);
	}

	@ExceptionHandler(Exception.class)
	@ResponseStatus(HttpStatus.BAD_REQUEST)
	public @ResponseBody String handleMyRuntimeException(Exception exception) {
		return ExceptionUtils.getStackTrace(exception);
//		return "error - something went wrong!";
	}
}